SearchLeak: How a Microsoft 365 Copilot Search Link Became a One-Click Data Exfiltration Path
SearchLeak shows how a trusted Microsoft 365 Copilot Enterprise Search URL can turn dangerous when the q parameter is treated as instructions instead of a query. Varonis chained that parameter-to-prompt flaw with a streaming HTML rendering race and a Bing image SSRF path, so one click could move user-accessible Microsoft 365 data into an attacker-controlled URL. Defenders need pre-model query validation, render-before-network sanitization, and data-flow policy on outbound fetches.
Threat Analysis
- Step 1: hide instructions in the search URL. The attacker puts prompt-like text in the Copilot Search
qparameter. The link still points to Microsoft, but the query asks Copilot to find internal data and place a value inside an image URL. - Step 2: run the query with the victim's access. After the victim clicks, Copilot treats
qas instructions and searches Microsoft 365 content the user can reach, including mailbox, calendar, SharePoint, OneDrive, and indexed organizational files. - Step 3: exploit streaming output. Copilot streams an HTML
imgtag before final sanitization turns the answer into inert text. The browser sees the tag and sends the image request before the renderer catches up. - Step 4: relay through Bing. CSP blocks direct attacker domains, but Bing image-search endpoints are allowed. Bing then performs the server-side fetch to the attacker URL, with the selected Microsoft 365 data carried in the path. Microsoft remediated the issue as CVE-2026-42824.
Applicable AIDEFEND Defenses (8)
q parameter should be treated as untrusted model input before Copilot dispatch. A practical edge gate would canonicalize the value, enforce size and encoding rules, and reject prompt-like instructions such as searching sensitive data and placing it into an image URL.q parameters, prompt-like search text, streamed image tags, Bing image-search requests, and attacker-shaped final URLs.What Defenders Should Do Now
- Verify Microsoft's remediation for CVE-2026-42824 and keep tracking service advisories, release notes, and any tenant-specific security guidance for Microsoft 365 Copilot.
- Limit Copilot's data access scope so it does not read unnecessary high-sensitivity data. Review SharePoint, OneDrive, mailbox, calendar, and external-sharing permissions; remove broad access; and label or protect high-sensitivity data with DLP where possible.
- Add detections in the tools the enterprise actually controls, such as Defender, Purview, proxy, CASB, or SIEM. Useful signals include suspicious Copilot Search links, long or encoded
qparameters, Bing image-search requests, and internal-looking values inside outbound URL paths. - Treat Copilot Search links as a phishing and data-exfiltration surface. Give users a simple reporting path for unexpected Copilot links, especially links that arrive through email or chat and contain unusually long query strings.
- Use this case in AI product security reviews. Ask Microsoft or any copilot provider how it validates search parameters, sanitizes streaming output before network requests, inspects final URL destinations, prevents SSRF relay paths, and blocks sensitive values from flowing into external URLs.
Conclusion
SearchLeak matters because it turns several small product behaviors into one working attack chain: a search parameter becomes an instruction, streamed model output becomes browser behavior, and an allowlisted Microsoft service becomes the final network relay. The lesson is to enforce boundaries where data changes role: before search text becomes model input, before model output becomes browser activity, and before Microsoft 365 data can enter an external URL.
Many of the strongest controls must live inside the product. Enterprise customers still have work to do: verify remediation, limit Copilot's data access scope, monitor suspicious outbound connection behavior, and use this case as a concrete requirement in AI product security reviews.